Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp1301137ioo;
        Sun, 22 May 2022 09:55:46 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzFKLLzJ2m978/6lc/XpKzeouVD3FQS2LixBjQ6WPBaIl5If0J/4Zv15Uke8wpWM/D4rJFT
X-Received: by 2002:a17:90b:4c07:b0:1df:f11a:7d4a with SMTP id na7-20020a17090b4c0700b001dff11a7d4amr16271149pjb.214.1653238545875;
        Sun, 22 May 2022 09:55:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1653238545; cv=none;
        d=google.com; s=arc-20160816;
        b=gGs44aDsniP45lMRuJ8m89zbK733PtAxyB/dQqOrmDiXXrXT5D7WFFaDRfbI31b5Ws
         DssX4U4bD3Fc2GVzIGID4XGlU2QwpIE/zuX3QBB6QzwNGmRdIk0B6zUIMfknJFdvd6iK
         lZxdhSYFXD8+fc0l6kzp+VQ9meN0Xoovsw4LAaDL8CDwnbtpzlqe61sxcPAIyNySGvWy
         BYrWyrHhq7yb2bVpBVTia7Hix2rjSiG2GoC9z8ECVsDDTsKn4ghzItt7+N/0Ha7YzKX2
         P6H0xHDSxveg1s5S/q6B3gjMayK4TM2vXWr3Kix+vsDGACBblxHXvvZVA7Iegvkv1L+O
         Vs+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from;
        bh=bHToLYCYck7w0PK3UNnET3uYdzmM5j2E7x2JliTU05U=;
        b=Bd3C+COqPeO+12g/2bf0qyP+liK6DqB2yfPdoh6Ks8J8t/anrYyxzuhQLmOMH/+HZQ
         nEqUzC4gjj5XyOS+gGAzzv9IXsfyfxG97HkfquogvF0Fyh/kT/KC+aIiB5+ypi43gMn0
         uIBpCTJHrwPKViPWJGcwIC2t+hdTU+YHmFPFpUFwmj9gLcLkjeXEH4feuT6kCGBbBYvi
         L+z1Gj017C24ikTIC3UOZJdP5VCOHg3kZxLz1b5oKGD6jdeco9S6ObpOLMmWgZ2TnvcX
         38P93QjlF9CZ+1UoOGEncKKVkgmk60vGqFLFOeESUVbkHrpZ1XBpeZn/SJ1bcLccRvl9
         h61Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id o2-20020a634102000000b003ab8abd9630si6951673pga.376.2022.05.22.09.55.35;
        Sun, 22 May 2022 09:55:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1353361AbiEUHYr (ORCPT <rfc822;tarbal@gmail.com> + 99 others);
        Sat, 21 May 2022 03:24:47 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54912 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232990AbiEUHYQ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 21 May 2022 03:24:16 -0400
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 988306CA91;
        Sat, 21 May 2022 00:24:15 -0700 (PDT)
Received: from kwepemi100011.china.huawei.com (unknown [172.30.72.53])
        by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4L4w6J2r3ZzgY89;
        Sat, 21 May 2022 15:22:48 +0800 (CST)
Received: from kwepemm600009.china.huawei.com (7.193.23.164) by
 kwepemi100011.china.huawei.com (7.221.188.134) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.24; Sat, 21 May 2022 15:24:13 +0800
Received: from huawei.com (10.175.127.227) by kwepemm600009.china.huawei.com
 (7.193.23.164) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Sat, 21 May
 2022 15:24:13 +0800
From:   Yu Kuai <yukuai3@huawei.com>
To:     <josef@toxicpanda.com>, <axboe@kernel.dk>, <yukuai3@huawei.com>,
        <ming.lei@redhat.com>
CC:     <linux-block@vger.kernel.org>, <nbd@other.debian.org>,
        <linux-kernel@vger.kernel.org>, <yi.zhang@huawei.com>
Subject: [PATCH -next v3 5/6] nbd: fix possible overflow on 'first_minor' in nbd_dev_add()
Date:   Sat, 21 May 2022 15:37:48 +0800
Message-ID: <20220521073749.3146892-6-yukuai3@huawei.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20220521073749.3146892-1-yukuai3@huawei.com>
References: <20220521073749.3146892-1-yukuai3@huawei.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type:   text/plain; charset=US-ASCII
X-Originating-IP: [10.175.127.227]
X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To
 kwepemm600009.china.huawei.com (7.193.23.164)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zhang Wensheng <zhangwensheng5@huawei.com>

When 'index' is a big numbers, it may become negative which forced
to 'int'. then 'index << part_shift' might overflow to a positive
value that is not greater than '0xfffff', then sysfs might complains
about duplicate creation. Because of this, move the 'index' judgment
to the front will fix it and be better.

Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor' in nbd_dev_add()")
Signed-off-by: Zhang Wensheng <zhangwensheng5@huawei.com>
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
---
 drivers/block/nbd.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index ec736cc52134..349bc3da878d 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -1814,17 +1814,7 @@ static struct nbd_device *nbd_dev_add(int index, unsigned int refs)
 	refcount_set(&nbd->refs, 0);
 	INIT_LIST_HEAD(&nbd->list);
 	disk->major = NBD_MAJOR;
-
-	/* Too big first_minor can cause duplicate creation of
-	 * sysfs files/links, since index << part_shift might overflow, or
-	 * MKDEV() expect that the max bits of first_minor is 20.
-	 */
 	disk->first_minor = index << part_shift;
-	if (disk->first_minor < index || disk->first_minor > MINORMASK) {
-		err = -EINVAL;
-		goto out_free_work;
-	}
-
 	disk->minors = 1 << part_shift;
 	disk->fops = &nbd_fops;
 	disk->private_data = nbd;
@@ -1929,8 +1919,19 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info)
 	if (!netlink_capable(skb, CAP_SYS_ADMIN))
 		return -EPERM;
 
-	if (info->attrs[NBD_ATTR_INDEX])
+	if (info->attrs[NBD_ATTR_INDEX]) {
 		index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]);
+
+		/*
+		 * Too big first_minor can cause duplicate creation of
+		 * sysfs files/links, since index << part_shift might overflow, or
+		 * MKDEV() expect that the max bits of first_minor is 20.
+		 */
+		if (index < 0 || index > MINORMASK >> part_shift) {
+			printk(KERN_ERR "nbd: illegal input index %d\n", index);
+			return -EINVAL;
+		}
+	}
 	if (!info->attrs[NBD_ATTR_SOCKETS]) {
 		printk(KERN_ERR "nbd: must specify at least one socket\n");
 		return -EINVAL;
-- 
2.31.1